Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 592
9 Access Control Lists

OS10 uses two types of access policies: hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.

ACLs

An ACL is a filter containing criteria to match (for example, examining IP, TCP, or UDP packets) and an action to take, such as forwarding or dropping the packet at the NPU. ACLs permit or deny traffic based on MAC and/or IP addresses. The number of ACL entries is hardware-dependent. ACLs have only two actions: forward or drop. Route-maps not only permit or block redistributed routes but can also modify information associated with a route when it is redistributed into another protocol.

When a packet matches a filter, the device drops or forwards the packet based on the filter's specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny). ACL rules do not consume hardware resources until you apply the ACL to an interface.

ACLs process in sequence. If a packet does not match the criteria in the first filter, the second filter applies. If you configured multiple hardware-based ACLs, filter rules apply to the packet content based on the NPU rule priority.

Route maps

Route-maps are software-based filters used when a routing protocol redistributes routes from one protocol to another, and as decision criteria in route advertisements. A route-map defines which of the routes from the specified routing protocol are redistributed into the target routing process; see Route-maps.

In a route-map with more than one match criterion, two or more matches within the same route-map sequence use different match commands, and matching against these criteria is an AND operation. If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found or until there are no more sequences. When a match is found, the packet is forwarded and no additional route-map sequences are processed. If you include a continue clause in the route-map sequence, the next route-map sequence also processes after a match is found.

The S5148F-ON platform has the following limitations:
• ACL counter does not support byte count.
• ACL rule does not look up the next header for IPv6 packets.
• L2 Egress ACL does not work for unknown unicast traffic.
• L2 User ACL has higher priority than the L3 User ACL.
• You cannot modify or extend the hardware table for each ACL type.
• In IPv6 packets, only the protocol number of the first header is matched.
• The egress Deny ACL entry does not block soft-forwarded packets and CPU-originated ICMP packets.

IP ACLs

An ACL filters packets based on the:
• IP protocol number
• Source and destination IP address
• Source and destination TCP port number
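The ordering rules from the ACLs and Route maps sections above (first matching filter decides, implicit deny at the end of an ACL, AND-ed match criteria per route-map sequence, and the continue clause), as an added Python model that is not Dell code and does not parse OS10 configuration; the field names, the "forward"/"drop" action strings and the treatment of a route matched by no sequence as denied are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the evaluation order described in the text (not OS10
# code): an ACL is an ordered list of filters with a forward/drop action and
# an implicit deny; a route-map is an ordered list of sequences whose match
# criteria are ANDed, with an optional continue clause.

@dataclass
class AclFilter:
    action: str               # "forward" or "drop" (assumed labels)
    match: Dict[str, object]  # every key must equal the packet field

def evaluate_acl(filters: List[AclFilter], packet: Dict[str, object]) -> str:
    """Filters are tested in order; the first match decides; no match drops."""
    for f in filters:
        if all(packet.get(k) == v for k, v in f.match.items()):
            return f.action
    return "drop"  # implicit deny at the end of the ACL

@dataclass
class RouteMapSeq:
    seq: int
    action: str               # "permit" or "deny"
    match: Dict[str, object]  # all criteria must hold (AND)
    set_: Dict[str, object] = field(default_factory=dict)
    cont: bool = False        # True models a 'continue' clause

def evaluate_route_map(seqs: List[RouteMapSeq], route: Dict[str, object]
                       ) -> Tuple[str, Dict[str, object]]:
    """Sequences are tried in ascending order. A matching sequence applies
    its action and set values and ends processing unless it has 'continue';
    a route matched by no sequence is modelled as denied (assumption)."""
    route = dict(route)
    decision = "deny"
    for s in sorted(seqs, key=lambda x: x.seq):
        if all(route.get(k) == v for k, v in s.match.items()):
            decision = s.action
            route.update(s.set_)
            if not s.cont:
                break
    return decision, route
```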